)]}'
{
  "commit": "f798a1d4f94de9510e060d37b9b47721065a957c",
  "tree": "cfdfdecb4b48c59496dc87fed453a07c1fd06205",
  "parents": [
    "e79ce9832316e09529b212a21278d68240ccbf1f"
  ],
  "author": {
    "name": "Suren Baghdasaryan",
    "email": "surenb@google.com",
    "time": "Fri Feb 25 19:11:05 2022 -0800"
  },
  "committer": {
    "name": "Linus Torvalds",
    "email": "torvalds@linux-foundation.org",
    "time": "Sat Feb 26 09:51:17 2022 -0800"
  },
  "message": "mm: fix use-after-free bug when mm-\u003emmap is reused after being freed\n\noom reaping (__oom_reap_task_mm) relies on a 2 way synchronization with\nexit_mmap.  First it relies on the mmap_lock to exclude from unlock\npath[1], page tables tear down (free_pgtables) and vma destruction.\nThis alone is not sufficient because mm-\u003emmap is never reset.\n\nFor historical reasons[2] the lock is taken there is also MMF_OOM_SKIP\nset for oom victims before.\n\nThe oom reaper only ever looks at oom victims so the whole scheme works\nproperly but process_mrelease can operate on any task (with fatal\nsignals pending) which doesn\u0027t really imply oom victims.  That means\nthat the MMF_OOM_SKIP part of the synchronization doesn\u0027t work and it\ncan see a task after the whole address space has been demolished and\ntraverse an already released mm-\u003emmap list.  This leads to use after\nfree as properly caught up by KASAN report.\n\nFix the issue by resetting mm-\u003emmap so that MMF_OOM_SKIP synchronization\nis not needed anymore.  The MMF_OOM_SKIP is not removed from exit_mmap\nyet but it acts mostly as an optimization now.\n\n[1] 27ae357fa82b (\"mm, oom: fix concurrent munlock and oom reaper unmap, v3\")\n[2] 212925802454 (\"mm: oom: let oom_reap_task and exit_mmap run concurrently\")\n\n[mhocko@suse.com: changelog rewrite]\n\nLink: https://lore.kernel.org/all/00000000000072ef2c05d7f81950@google.com/\nLink: https://lkml.kernel.org/r/20220215201922.1908156-1-surenb@google.com\nFixes: 64591e8605d6 (\"mm: protect free_pgtables with mmap_lock write lock in exit_mmap\")\nSigned-off-by: Suren Baghdasaryan \u003csurenb@google.com\u003e\nReported-by: syzbot+2ccf63a4bd07cf39cab0@syzkaller.appspotmail.com\nSuggested-by: Michal Hocko \u003cmhocko@suse.com\u003e\nReviewed-by: Rik van Riel \u003criel@surriel.com\u003e\nReviewed-by: Yang Shi \u003cshy828301@gmail.com\u003e\nAcked-by: Michal Hocko \u003cmhocko@suse.com\u003e\nCc: David Rientjes \u003crientjes@google.com\u003e\nCc: Matthew Wilcox \u003cwilly@infradead.org\u003e\nCc: Johannes Weiner \u003channes@cmpxchg.org\u003e\nCc: Roman Gushchin \u003croman.gushchin@linux.dev\u003e\nCc: Rik van Riel \u003criel@surriel.com\u003e\nCc: Minchan Kim \u003cminchan@kernel.org\u003e\nCc: Kirill A. Shutemov \u003ckirill@shutemov.name\u003e\nCc: Andrea Arcangeli \u003caarcange@redhat.com\u003e\nCc: Christian Brauner \u003cbrauner@kernel.org\u003e\nCc: Christoph Hellwig \u003chch@infradead.org\u003e\nCc: Oleg Nesterov \u003coleg@redhat.com\u003e\nCc: David Hildenbrand \u003cdavid@redhat.com\u003e\nCc: Jann Horn \u003cjannh@google.com\u003e\nCc: Shakeel Butt \u003cshakeelb@google.com\u003e\nCc: Andy Lutomirski \u003cluto@kernel.org\u003e\nCc: Christian Brauner \u003cchristian.brauner@ubuntu.com\u003e\nCc: Florian Weimer \u003cfweimer@redhat.com\u003e\nCc: Jan Engelhardt \u003cjengelh@inai.de\u003e\nCc: Tim Murray \u003ctimmurray@google.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n",
  "tree_diff": [
    {
      "type": "modify",
      "old_id": "1e8fdb0b51eddcb8bce46b6f7c0648980827ea04",
      "old_mode": 33188,
      "old_path": "mm/mmap.c",
      "new_id": "d445c1b9d60650b58c39c3688405567598c71fd9",
      "new_mode": 33188,
      "new_path": "mm/mmap.c"
    }
  ]
}
